-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Core Security Technologies - CoreLabs Advisory
          http://www.coresecurity.com/corelabs/

Windows Movie Maker and Microsoft Producer IsValidWMToolsStream() Heap Overflow


1. *Advisory Information*

Title: Windows Movie Maker and Microsoft Producer IsValidWMToolsStream() Heap Overflow
Advisory Id: CORE-2009-0813
Advisory URL: http://www.coresecurity.com/content/movie-maker-heap-overflow
Date published: 2010-03-09
Date of last update: 2010-03-09
Vendors contacted: Microsoft
Release mode: User release


2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0265


3. *Vulnerability Description*

Windows Movie Maker is video creation/editing software that is included by default in Windows Vista and Windows XP. Microsoft Producer is an add-in for PowerPoint used to create rich-media presentations.

A vulnerability was found in Windows Movie Maker and Microsoft Producer which a remote attacker can trigger by sending a specially crafted file and enticing the user to open it. The vulnerability results in a write access violation and can lead to remote code execution.


4. *Vulnerable packages*

. Windows Movie Maker

The following Windows versions ship with a vulnerable version of Windows Movie Maker by default:

   . Windows Vista.
   . Windows Vista Service Pack 1.
   . Windows Vista Service Pack 2.
   . Windows XP Professional x64 Edition.
   . Windows XP Service Pack 2.
   . Windows XP Service Pack 3.

. Microsoft Producer for PowerPoint.


5. *Non-vulnerable packages*

. Windows Live Movie Maker (downloadable component for Windows 7).


6. *Vendor Information, Solutions and Workarounds*

Microsoft has addressed the vulnerability in Movie Maker by issuing an update located at

http://www.microsoft.com/technet/security/Bulletin/MS10-016.mspx

The security update for Microsoft Producer 2003 is unavailable at this time.
The workarounds and mitigations are:

. Avoid opening .MSWMM Movie Maker files or .MSProducer Microsoft Producer files from untrusted sources.
. Remove the Movie Maker .MSWMM file association and/or remove the Microsoft Producer 2003 .MSProducer, .MSProducerZ, and .MSProducerBF file associations.
. Replace Microsoft Producer with a new version when it comes out, or with the current Beta version.

Refer to the Microsoft Security Bulletin MS10-016 [2] for more information.


7. *Credits*

This vulnerability was discovered and researched by Damian Frizza from Core Security Technologies during Bugweek 2009 [1].


8. *Technical Description / Proof of Concept Code*

An exploitable vulnerability was found in Windows Movie Maker which a remote attacker can trigger by sending a specially crafted .MSWMM file and enticing the user to open it. The vulnerability results in a write access violation and can lead to remote code execution.

The root cause is in the function IsValidWMToolsStream(), where pBuffer is used twice with two different sizes. The buffer is first allocated with an initial internal size; the second time it is used, the data length is read from the MSWMM file, and pBuffer is not re-allocated before being reused. Because the file-supplied size is never compared against the size that was actually allocated, a size larger than the initial value makes the copy run past the end of the heap buffer, resulting in a heap overflow.
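The allocate-once, fill-with-untrusted-length pattern described above, as an added C model that is not Core Security's or Microsoft's code. The vulnerable routine allocates a fixed-size buffer and copies a file-supplied number of bytes into it; the hardened routine sizes the allocation from the validated length. The stream layout (a 4-byte little-endian length followed by the payload), the INITIAL_SIZE/GUARD_SIZE/MAX_STREAM_SIZE constants and all function names are assumptions for the demo; the advisory does not document the real MSWMM field format. The guard region exists only so the overrun can be observed without undefined behaviour; the real binary has no such cap.

```c
/*
 * Added example, not Core Security's or Microsoft's code: a C model of the
 * IsValidWMToolsStream() bug class. A heap buffer is allocated with a fixed
 * internal size, then a length taken from the untrusted file drives a copy
 * into that same buffer without reallocating it.
 * Assumption (not from the advisory): the stream layout, a 4-byte
 * little-endian length followed by payload, is invented for the demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_SIZE    0x20u       /* stands in for the fixed 0x8888 allocation */
#define GUARD_SIZE      0x20u       /* demo-only canary region after the buffer */
#define GUARD_BYTE      0xAA
#define MAX_STREAM_SIZE (1u << 20)  /* upper bound used by the hardened parser */

/* Parse the 4-byte little-endian length prefix of the untrusted stream. */
static int read_len(const uint8_t *s, size_t n, uint32_t *out)
{
    if (n < 4)
        return -1;
    *out = (uint32_t)s[0] | (uint32_t)s[1] << 8 | (uint32_t)s[2] << 16 | (uint32_t)s[3] << 24;
    return 0;
}

/*
 * Vulnerable pattern: pBuffer = new(INITIAL_SIZE); ExtractData(pBuffer, len)
 * with len from the file and never compared to the allocation. To keep the
 * demo defined behaviour, the buffer is over-allocated with a guard region
 * and the copy is capped there; a clobbered guard is the write that, in the
 * real binary, lands in the neighbouring heap chunk.
 * Returns 1 if the guard was overwritten, 0 if not, -1 on parse error.
 */
int is_valid_stream_vulnerable(const uint8_t *stream, size_t stream_len)
{
    uint32_t len;
    if (read_len(stream, stream_len, &len) != 0 || (size_t)len > stream_len - 4)
        return -1;                        /* checks bytes available, not buffer size */

    uint8_t *pbuffer = malloc(INITIAL_SIZE + GUARD_SIZE);
    if (pbuffer == NULL)
        return -1;
    memset(pbuffer + INITIAL_SIZE, GUARD_BYTE, GUARD_SIZE);

    size_t n = len;
    if (n > INITIAL_SIZE + GUARD_SIZE)
        n = INITIAL_SIZE + GUARD_SIZE;    /* demo cap only; the real code has no bound */
    memcpy(pbuffer, stream + 4, n);       /* the bug: n may exceed INITIAL_SIZE */

    int overflowed = 0;
    for (size_t i = 0; i < GUARD_SIZE && !overflowed; i++)
        overflowed = (pbuffer[INITIAL_SIZE + i] != GUARD_BYTE);
    free(pbuffer);
    return overflowed;
}

/*
 * Hardened form: size the allocation from the length actually read, bounded
 * by MAX_STREAM_SIZE and by the bytes present, so the copy cannot exceed it.
 * On success hands back a buffer the caller frees; returns -1 otherwise.
 */
int is_valid_stream_fixed(const uint8_t *stream, size_t stream_len,
                          uint8_t **out, size_t *out_len)
{
    uint32_t len;
    if (read_len(stream, stream_len, &len) != 0 || len > MAX_STREAM_SIZE ||
        (size_t)len > stream_len - 4)
        return -1;
    uint8_t *pbuffer = malloc(len > 0 ? len : 1);
    if (pbuffer == NULL)
        return -1;
    memcpy(pbuffer, stream + 4, len);
    *out = pbuffer;
    *out_len = len;
    return 0;
}

/* Build a constructed sample stream: length prefix followed by an 'A' payload. */
size_t make_stream(uint8_t *buf, size_t cap, uint32_t len)
{
    if (cap < 4 + (size_t)len)
        return 0;
    for (int i = 0; i < 4; i++)
        buf[i] = (uint8_t)(len >> (8 * i));
    memset(buf + 4, 'A', len);
    return 4 + (size_t)len;
}

int main(void)
{
    uint8_t benign[4 + 0x10], crafted[4 + 0x30];   /* 0x30 exceeds INITIAL_SIZE */
    size_t bl = make_stream(benign, sizeof benign, 0x10);
    size_t cl = make_stream(crafted, sizeof crafted, 0x30);
    printf("benign : overflow=%d\n", is_valid_stream_vulnerable(benign, bl));
    printf("crafted: overflow=%d\n", is_valid_stream_vulnerable(crafted, cl));
    uint8_t *out = NULL; size_t out_len = 0;
    int rc = is_valid_stream_fixed(crafted, cl, &out, &out_len);
    printf("fixed  : rc=%d, allocated %zu bytes\n", rc, out_len);
    free(out);
    return 0;
}
```

The crafted stream declares 0x30 bytes against a 0x20-byte allocation, so the vulnerable routine reports the guard as overwritten while the hardened one simply allocates 0x30 bytes. Note that the vulnerable routine does check that the declared length does not exceed the bytes present in the stream; that is the kind of check that is easy to mistake for a bounds check on the destination buffer, and it does nothing to prevent the overrun.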
The following is an excerpt of the vulnerable code:

/-----
CDocManager::IsValidWMToolsStream(bool *)+EB   push    dword ptr [valueFromFile] ; 0x8888
CDocManager::IsValidWMToolsStream(bool *)+EE   call    ??2@YAPAXI@Z ; operator new(uint)
CDocManager::IsValidWMToolsStream(bool *)+F3   pop     ecx
CDocManager::IsValidWMToolsStream(bool *)+F4   mov     [pBuffer], eax
CDocManager::IsValidWMToolsStream(bool *)+F7   mov     [ebp-40h], eax
CDocManager::IsValidWMToolsStream(bool *)+FA   mov     byte ptr [ebp-4], 2
CDocManager::IsValidWMToolsStream(bool *)+FE   push    dword ptr [ebp-2Ch] ; int
CDocManager::IsValidWMToolsStream(bool *)+101  mov     ecx, esi
CDocManager::IsValidWMToolsStream(bool *)+103  push    ebx ; int
CDocManager::IsValidWMToolsStream(bool *)+104  push    edi ; wchar_t *
CDocManager::IsValidWMToolsStream(bool *)+105  call    ?ExtractData@CDocManager@@QAEJPBGPAXJ@Z ; CDocManager::ExtractData(ushort const *,void *,long)
CDocManager::IsValidWMToolsStream(bool *)+10A  mov     esi, eax
CDocManager::IsValidWMToolsStream(bool *)+10C  test    esi, esi
CDocManager::IsValidWMToolsStream(bool *)+10E  jge     short loc_118158A
CDocManager::IsValidWMToolsStream(bool *)+110  mov     byte ptr [ebp-4], 1
CDocManager::IsValidWMToolsStream(bool *)+114  cmp     dword ptr [pBuffer], 0
CDocManager::IsValidWMToolsStream(bool *)+118  jz      short loc_1181578

CDocManager::IsValidWMToolsStream(bool *)+29E  push    [pBuffer] ; void *
CDocManager::IsValidWMToolsStream(bool *)+2A1  call    ??3@YAXPAX@Z ; operator delete(void *)
CDocManager::IsValidWMToolsStream(bool *)+2A6  pop     ecx
-----/

Note that the same Proof of Concept file used to trigger the bug in Movie Maker can be used to trigger the bug in Microsoft Producer, by changing its extension from ".MSWMM" to ".MSProducer".


9. *Report Timeline*

. 2009-08-14: Core Security Technologies notifies the Microsoft team of the vulnerability and sends a technical description and proof of concept file. A preliminary publication date is set for November 17th, 2009.
. 2009-08-14: The Microsoft team acknowledges receipt of the report.
. 2009-08-18: Core resends the proof of concept file (the original contained a mistake).
. 2009-08-27: Core requests from the Microsoft team an update on the vulnerability status.
. 2009-08-28: The Microsoft team confirms that the bug results in an access violation and that they are assessing the exploitability of the bug.
. 2009-09-08: The Microsoft team informs Core that their analysis confirms the bug is exploitable, and that it will be addressed in a security bulletin; that they are still working on estimating a release schedule and identifying other software products and versions affected by the issue; that they believe that the scheduled publication date (November 17th) cannot be met by a security update; and requests that Core postpones publication.
. 2009-09-14: To delay the publication until December 15th, Core requests from the Microsoft team detailed information on the bug including: field format details and cause of the flaw; applications and versions affected; vendor fix schedule; and updates at least once every two weeks.
. 2009-09-16: The Microsoft team informs Core that they are looking into what amount of detail they can provide on their fix plans. The Microsoft team also promises to keep in touch with more technical information to work on a mutual arrangement.
. 2009-10-26: Core again requests additional information about the vulnerability and Microsoft's plan to produce a fix. In particular Core requests information about Microsoft's other products which are able to parse the same document format, and may be affected by the vulnerability.
. 2009-11-04: Core again requests a response to the questions formulated in the previous communication.
. 2009-11-05: Microsoft promises to send an answer the following week.
. 2009-11-09: Microsoft sends technical information about the bug, including a list of affected versions and platforms. Its investigation indicates that the issue can lead to Remote Code Execution and that fixes are currently forecast to ship as an Important severity class issue in their bulletin. Microsoft also requests that Core postpones publication until February 9th, 2010.
. 2009-11-11: Core acknowledges receipt of the previous mail, and reschedules publication of its advisory to February 9th, 2010.
. 2010-01-22: Microsoft resends the technical analysis of the vulnerability.
. 2010-02-02: Core checks whether Microsoft is still on track to release fixes on February 9th, 2010, and requests a list of non-affected versions and vendor information to include in the advisory.
. 2010-02-03: Microsoft informs Core that Microsoft Producer 2003 is vulnerable to the reported vulnerability; as Producer 2003 is an out of box tool, the support for this product will end when it is replaced with a newer version. Microsoft states that a new version of Producer will be released in March 2010 alongside the Office 2010 release. Microsoft requests that Core coordinates its advisory release with Microsoft's bulletin and new product launch on March 9th, 2010.
. 2010-02-24: Microsoft informs Core that they ran into some issues with this update, and requests a conference call to discuss options.
. 2010-02-25: Conference call between Core and MSRC. Microsoft informs Core that fixes for Movie Maker are ready to be released, but that the release of a new version of Producer (alongside the release of Office 2010) has been postponed from March 9th to an unspecified date. Microsoft requests that Core postpones the publication of its advisory to an unspecified date, in order to coordinate the release of fixes for Movie Maker and the launch of the new Producer version. Core says that from its point of view, not releasing the available fixes for Movie Maker increases the risk to affected users. Core does not agree to postpone publication of its advisory (for the 4th time) beyond March 9th, since fixes for Movie Maker are available, and their release would be delayed to an undetermined date to match the release of a new product (Office 2010). Core confirms that it will publish advisory CORE-2009-0813 on March 9th to inform affected users of the risk created by this vulnerability.
. 2010-02-26: Core informs Microsoft that the Proof of Concept file used to trigger this vulnerability in Movie Maker can be trivially modified to reveal the bug in Microsoft Producer, by changing its extension from ".MSWMM" to ".MSProducer". Core sends an updated version of advisory CORE-2009-0813 as requested by Microsoft.
. 2010-03-09: Microsoft Security Bulletin MS10-016 [2] is released, which fixes the vulnerability in Movie Maker.
. 2010-03-09: The advisory CORE-2009-0813 is published as user release.


10. *References*

[1] About Core Security's Bugweek
    http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek
[2] Microsoft Security Bulletin MS10-016
    http://www.microsoft.com/technet/security/Bulletin/MS10-016.mspx


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuWvrcACgkQyNibggitWa1XQACeI3uhCN5nVjAjseSZpRh0R2Bn
0T4An2XAB94FkLyN0Pq5G3NWzOzM9Ibq
=efAg
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/